Security Bulletin: Cross-Site Scripting and information disclosure vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for March 2022 (CVE-2021-29835, CVE-2021-39046)

Published: 2022-04-01 17:39:42 (www.ibm.com)

EPSS: 0.001 (Low), percentile 27.9%

Summary

In addition to many updates of open source packages, the following security vulnerabilities are addressed with IBM Cloud Pak for Business Automation 21.0.2-IF009 and 21.0.3-IF007.

Vulnerability Details

CVEID: CVE-2021-29835
**DESCRIPTION:** IBM Business Automation Workflow 18.0, 19.0, 20.0, and 21.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 204833.
CVSS Base score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/204833 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2021-39046
**DESCRIPTION:** IBM Business Automation Workflow 18.0, 19.0, 20.0, and 21.0 and IBM Business Process Manager 8.5 and 8.6 store user credentials in plain clear text, which can be read by a privileged user. IBM X-Force ID: 214346.
CVSS Base score: 4.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/214346 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) | Status |
|---|---|---|
| IBM Cloud Pak for Business Automation | V21.0.3 - V21.0.3-IF006 | affected |
| IBM Cloud Pak for Business Automation | V21.0.2 - V21.0.2-IF008 | affected |
| IBM Cloud Pak for Business Automation | V21.0.1 - V21.0.1-IF007, V20.0.1 - V20.0.3, V19.0.1 - V19.0.3, V18.0.0 - V18.0.2 | affected |

Remediation/Fixes

The recommended solution is to apply the February 2022 security fix as soon as practical.

| Affected Product(s) | Version(s) | Remediation / Fix |
|---|---|---|
| IBM Cloud Pak for Business Automation | V21.0.3 - V21.0.3-IF004 | Apply security fix 21.0.3-IF007 |
| IBM Cloud Pak for Business Automation | V21.0.2 - V21.0.2-IF007 | Apply security fix 21.0.2-IF009 or upgrade to 21.0.3-IF007 |
| IBM Cloud Pak for Business Automation | V21.0.1 - V21.0.1-IF008, V20.0.1 - V20.0.3, V19.0.1 - V19.0.3, V18.0.0 - V18.0.2 | Upgrade to 21.0.2-IF009 or 21.0.3-IF007 |
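As an added example (not part of the IBM bulletin), the following Python helper parses Cloud Pak for Business Automation version strings such as `V21.0.3-IF006` and maps an installed level to the action in the remediation table above, which is useful when triaging an inventory of deployments. It assumes that a level at or above the fixed iFix of its release stream, and any release stream newer than 21.0.3, already contains the fix.

```python
import re
from typing import NamedTuple, Optional


class CP4BAVersion(NamedTuple):
    """Comparable form of a Cloud Pak version: release stream plus iFix number."""
    major: int
    minor: int
    patch: int
    ifix: int  # 0 when the version carries no -IFnnn suffix


# Accepts "V21.0.3-IF006", "21.0.3-IF6" or "21.0.2"; the leading V is optional.
_VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)\.(\d+)(?:-IF(\d+))?$", re.IGNORECASE)


def parse_version(text: str) -> CP4BAVersion:
    """Parse a version string from the bulletin or an inventory into a tuple."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Cloud Pak version string: {text!r}")
    major, minor, patch, ifix = match.groups()
    return CP4BAVersion(int(major), int(minor), int(patch), int(ifix or 0))


# Fixed iFix levels named in the bulletin, keyed by release stream.
FIXED_LEVELS = {
    (21, 0, 3): CP4BAVersion(21, 0, 3, 7),  # 21.0.3-IF007
    (21, 0, 2): CP4BAVersion(21, 0, 2, 9),  # 21.0.2-IF009
}
LATEST_FIX = FIXED_LEVELS[(21, 0, 3)]


def remediation(text: str) -> Optional[str]:
    """Return the bulletin's recommended action, or None if the level is already fixed."""
    version = parse_version(text)
    stream = (version.major, version.minor, version.patch)
    fixed = FIXED_LEVELS.get(stream)
    if fixed is not None:
        if version >= fixed:  # tuple comparison: same stream, iFix at or above the fix
            return None
        if stream == (21, 0, 3):
            return "apply security fix 21.0.3-IF007"
        return "apply security fix 21.0.2-IF009 or upgrade to 21.0.3-IF007"
    # Assumption: streams newer than 21.0.3 ship with the fix; older ones must upgrade.
    if version >= LATEST_FIX:
        return None
    return "upgrade to 21.0.2-IF009 or 21.0.3-IF007"
```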

Workarounds and Mitigations

None
